Reject mail with no valid recipients
Introduction
A lot of the spam I see does not use valid recipients. Either many address harvesters are buggy, or spammers are trying to guess addresses.
The point is that a significant percentage (if not the majority) of spam doesn't carry valid recipients. Checking the validity of a recipient is much cheaper than content-based analysis, as done with milter-spamd.
However, filtering is often done on an intermediate relay, which doesn't
have a complete list of all valid recipients. Maintaining a copy of the
list on the relay would be cumbersome.
This is the sole purpose of milter-checkrcpt. It checks the validity of
recipients by asking another mail server, like your internal
mail server, which already has the complete list of valid users.
Invalid recipients are permanently removed from mails. Mails with no valid
recipients are refused.
See milter-regex for a general introduction about milter plugins.
milter-checkrcpt runs on OpenBSD and is BSD licensed.
Man page
MILTER-CHECKRCPT(8) OpenBSD System Manager's Manual MILTER-CHECKRCPT(8)
NAME
milter-checkrcpt - sendmail milter plugin for recipient checking against
server
SYNOPSIS
milter-checkrcpt [-d] [-h helo] [-m mailfrom] [-p pipe] [-r recipient]
[-s server] [-u user]
DESCRIPTION
The milter-checkrcpt plugin can be used with the milter API of
sendmail(8) to filter mails with invalid recipients. The validity of a
recipient address is determined by querying another mail server over
SMTP.
The options are as follows:
  -d            Don't detach from controlling terminal and produce verbose
                debug output on stdout.
  -h helo       Use the specified string in the SMTP HELO line sent to the
                server, instead of the default, the local host name.
  -m mailfrom   Use the specified string in the SMTP MAIL FROM line sent to
                the server, instead of the default, milter-checkrcpt@helo.
  -p pipe       Use the specified pipe to interface sendmail(8). Default
                is unix:/var/spool/milter-checkrcpt/sock.
  -r recipient  Test the specified recipient and terminate immediately.
  -s server     Use the specified server IP address. This option is
                mandatory.
  -u user       Run as the specified user instead of the default,
                _milter-checkrcpt. When milter-checkrcpt is started as root,
                it calls setuid(2) to drop privileges. The non-privileged
                user should have read access to the configuration file and
                read-write access to the pipe.
RECIPIENT CHECKING
Recipients are checked by contacting the specified server and performing
the following SMTP dialogue:
220 WELCOME
HELO helo
250 HELO ACCEPTED
MAIL FROM: <mailfrom@helo>
250 SENDER OK
RCPT TO: <recipient>
250 RECIPIENT OK
QUIT
221 CLOSING
If the server responds with positive completion reply codes (200-299) to
all commands sent, or with a temporary failure code (400-499) to any
command sent, the recipient is considered valid. If any command results in
a different reply code, the recipient is considered invalid. If the
connection to the server cannot be established at all, the recipient is
considered valid. Note that this dialogue does not actually send any mail
to the server. A single mail can have one or multiple recipients. The
plugin checks each recipient, removing any invalid recipients from the
mail. If no valid recipients are found, the plugin instructs sendmail(8)
to reject the mail with SMTP reply code 554 ("Transaction failed"),
extended reply code 5.7.1 ("Permanent failure"), and reply text "No valid
recipients". Otherwise, the plugin accepts the mail.
SENDMAIL CONFIGURATION
The plugin needs to be registered in the sendmail(8) configuration, by
adding the following lines to the .mc file
INPUT_MAIL_FILTER(`milter-checkrcpt',
`S=unix:/var/spool/milter-checkrcpt/sock, T=S:30s;R:2m')
rebuilding /etc/mail/sendmail.cf from the .mc file using m4(1), and
restarting sendmail(8).
LOGGING
milter-checkrcpt sends log messages to syslogd(8) using facility daemon
and, with increasing verbosity, level err, notice, info and debug. The
following syslog.conf(5) section can be used to log messages to a
dedicated file:
!milter-checkrcpt
daemon.err;daemon.notice /var/log/milter-checkrcpt
SEE ALSO
mailstats(1), syslog.conf(5), sendmail(8), syslogd(8)
Simple Mail Transfer Protocol, RFC 2821.
HISTORY
The first version of milter-checkrcpt was written in 2007.
AUTHORS
Daniel Hartmeier <[email protected]>
OpenBSD 4.4 May 20, 2009
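The decision rule from RECIPIENT CHECKING in the man page above, written out as an added C example (not milter-checkrcpt's own source); it shows that an unreachable backend or a 4xx reply leaves the recipient accepted. The names check_replies and reply_code and the sample replies are assumptions made for illustration, and the dialogue is assumed to stop at the first reply that is not 2xx.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

enum verdict { RCPT_VALID, RCPT_INVALID };

/* Three-digit code of one SMTP reply line, -1 if malformed.
 * *more is set on a continuation line ("250-...") of a multi-line reply. */
static int reply_code(const char *line, int *more)
{
	*more = 0;
	if (!isdigit((unsigned char)line[0]) || !isdigit((unsigned char)line[1]) ||
	    !isdigit((unsigned char)line[2]))
		return -1;
	*more = (line[3] == '-');
	return (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
}

/* Verdict for one recipient from the server's replies, in order.
 * replies == NULL models a connection that could not be established. */
enum verdict check_replies(const char *const *replies, size_t n)
{
	if (replies == NULL)
		return RCPT_VALID;		/* backend unreachable: fail open */
	for (size_t i = 0; i < n; i++) {
		int more, code = reply_code(replies[i], &more);
		if (more)
			continue;		/* the final line carries the verdict */
		if (code >= 400 && code <= 499)
			return RCPT_VALID;	/* temporary failure: fail open */
		if (code < 200 || code > 299)
			return RCPT_INVALID;	/* 5xx, 3xx, 1xx or malformed */
	}
	return RCPT_VALID;			/* every reply was 2xx */
}

/* Constructed sample replies (assumed), not captured from a real server. */
static const char *const known[] = { "220 WELCOME", "250-mx.example",
    "250 HELO ACCEPTED", "250 SENDER OK", "250 RECIPIENT OK" };
static const char *const unknown[] = { "220 WELCOME", "250 HELO ACCEPTED",
    "250 SENDER OK", "550 5.1.1 User unknown" };
static const char *const deferred[] = { "220 WELCOME", "250 HELO ACCEPTED",
    "250 SENDER OK", "451 4.7.1 Try again later" };

int main(void)
{	/* 0 means valid, 1 means invalid */
	printf("known=%d unknown=%d deferred=%d unreachable=%d\n", check_replies(known, 5),
	    check_replies(unknown, 4), check_replies(deferred, 4), check_replies(NULL, 0));
	return 0;
}
```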
Sources
History
0.3: Mar 7, 2012
Do not refuse mail when the backend server reports temporary failure (4xx)
(suggested by Shinta Sato).
0.2: Jul 12, 2011
Don't generate space after MAIL FROM:/RCPT TO: (from Claus Assmann).
0.1: May 20, 2009
First public version.
Related links
- sendmail and milter
- SpamAssassin
- OpenBSD
- SMTP
- RFC 821 Simple Mail Transfer Protocol (SMTP)
- RFC 1893 Enhanced Mail System Status Codes
- Other milter plugins (multiple plugins can be chained)
- milter-regex filtering using regular expression (and links to other milter plugins)